Search Images Maps Play YouTube News Gmail Drive More »
Sign in
Screen reader users: click this link for accessible mode. Accessible mode has the same essential features but works better with your reader.

Patents

  1. Advanced Patent Search
Publication numberUS7065210 B1
Publication typeGrant
Application numberUS 09/489,696
Publication dateJun 20, 2006
Filing dateJan 24, 2000
Priority dateJan 25, 1999
Fee statusLapsed
Publication number09489696, 489696, US 7065210 B1, US 7065210B1, US-B1-7065210, US7065210 B1, US7065210B1
InventorsShigeo Tsujii, Masao Kasahara
Original AssigneeMurata Kikai Kabushiki Kaisha
Export CitationBiBTeX, EndNote, RefMan
External Links: USPTO, USPTO Assignment, Espacenet
Secret key generation method, encryption method, cryptographic communications method, common key generator, cryptographic communications system, and recording media
US 7065210 B1
Abstract
A cryptographic communications method based on ID-NIKS, wherewith mathematical structures are minimized, the collusion problem can be circumvented, and building the cryptosystem is simplified. A plurality of centers are provided for distributing a plurality of secret keys to a plurality of entities, respectively. Each secret key is unique to each entity. Information specifying the entities (entity ID information) is divided into a plurality of pieces or segments. All secret keys produced for the pieces of entity ID information are distributed to the entities. Using a component contained in the secret key peculiar to itself, each entity generates a common key to be shared by another entity. This component corresponds to a piece of ID information of another entity.
Images(6)
Previous page
Next page
Claims(15)
1. A cryptographic communications method for communications of information between entities wherein a plurality of centers are provided, each of which generates secret keys peculiar to the entities using divided pieces of information resulting from division of information specifying each of the entities, the divided information used to generate the secret keys allowing diminished sizes of the secret keys; one entity generates a first common key using a first component contained in at least one secret key generated by at least one of the plurality of centers, the secret key being peculiar to the one entity, encrypts plaintext to ciphertext using the first common key and sends the ciphertext to another entity, the first component corresponding to one or more of the divided pieces of information specifying said another entity; and said another entity generates a second common key identical to the first common key using a second component contained in secret keys peculiar to the another entity sent from said centers, and decrypts said ciphertext to the original plaintext using the second common key, the second component corresponding to one or more of the divided pieces of information specifying the one entity.
2. A cryptographic communications method for communicating information between entities wherein:
secret keys peculiar to said entities are sent from a center to said entities;
one entity encrypts plaintext to ciphertext using a first common key derived from a first secret key peculiar to the one entity sent from said center and sends the ciphertext to another entity;
said another entity decrypts said ciphertext to the original plaintext using a second common key identical to the first common key, the second common key being derived from a second secret key peculiar to said another entity sent from said center, characterized in that;
a plurality of said centers are deployed;
each of said plurality of centers generates secret keys peculiar to said entities by adding random numbers peculiar to said entities to divided pieces of information resulting from division of information specifying each of said entities, the divided information used to generate the secret keys allowing diminished sizes of the secret keys; and
each of said entities generates a common key using a component, contained in the secret key peculiar to that selfsame entity, corresponding to one or more of the divided pieces of information obtained from each of said plurality of centers which specify an opposite entity.
3. The cryptographic communications method according to claim 2, wherein computation formulas for generating secret keys at said centers are as follows:
S i1 g α j1 H 1 [ I j1 ] ( mod P ) S i2 α j2 H 2 [ I j2 ] ( mod P - 1 ) S iK α jK H K [ I jK ] ( mod P - 1 )
where
vector sij is a secret key corresponding to j'th piece of divided information specifying entity i (j=1, 2, . . . , K)
[vector Iij] is j'th piece of divided information specifying entity i;
P is a prime number;
K is number of divisions in the information specifying entity i;
g is primitive element for GF (P);
Hj is a symmetrical 2M×2M matrix made up of random numbers;
M is size of divisions in the information specifying entity i; and
αij is a personal secret random number for entity i (where αi1 . . . αiK≡1 (mod P−1)).
4. The cryptographic communications method according to claim 3, wherein computation formulas for generating common keys at said entities are as follows:
K im S i1 [ I m1 ] S i2 [ I m2 ] S iK [ I mK ] g α i1 α iK H 1 [ I i1 ] [ I m1 ] H K [ I iK ] [ I mK ] g H i [ I i1 ] [ I m1 ] ⋯H K [ I iK ] [ I mK } ( mod P )
where
Kim is common key generated by one entity i for another entity m; and
vector sij [vector Iij] is a component contained in secret key vector sij of entity i, corresponding to divided piece of information specifying entity m.
5. A cryptographic communications system for reciprocally performing, between a plurality of entities, encrypting processing for encrypting plaintext that is information to be sent into ciphertext and decrypting processing for decrypting ciphertext so sent back into original plaintext; comprising:
a plurality of centers that generate secret keys peculiar to said entities using pieces of information resulting from division of information specifying each of said entities and that sends said secret keys to said entities, the divided information used to generate the secret keys allowing diminished sizes of the secret keys; and
a plurality of entities each of which generates a common key employed mutually in said encryption and decryption processing when communicating with another entity, using a component corresponding to a divided specified information to each entity, contained in own secret key sent from the centers, the component further corresponding to one or more pieces of information specifying said another entity.
6. A cryptographic communications method for communications of information between entities wherein a plurality of centers are provided, each of which generates secret keys peculiar to the entities using divided specifying information resulting from division of information specifying each of the entities into a plurality of blocks, the divided information used to generate the secret keys allowing diminished sizes of the secret keys; one entity generates a first common key using a first component contained in secret keys peculiar to the one entity sent from the centers, encrypts plaintext to ciphertext using the first common key and sends the ciphertext to another entity, the first component corresponding to one or more of the divided pieces of information specifying said another entity; and said another entity generates a second common key identical to the first common key using a second component contained in secret keys peculiar to the another entity sent from said centers, and decrypts said ciphertext to the original plaintext using the second common key, the second component corresponding to one or more of the divided pieces of information specifying the one entity; secret keys for first block of divided specifying information have a multi-layer structure; and secret keys for remaining blocks of divided specifying information have a single-layer structure.
7. A secret key generation method for generating secret keys peculiar to entities using divided specifying information resulting from division of information specifying said entities into a plurality of blocks, the divided information used to generate the secret keys allowing diminished sizes of the secret keys, each entity generating a common key by using a component corresponding to the divided specifying information of another entity, wherein:
computation formulas for generating said secret keys are as follows:
S i1 = α i H 1 [ I i1 ] + β i1 1 S i2 = α 1 H 2 [ I i2 ] + β i2 1 S ij = α i H j [ I ij ] + β ij 1 S iK = α i H K [ I iK ] + β iK 1 g i0 g α i - T 1 ( mod N ) g i1 g α i - T S i1 ( mod N ) g i2 g α i - T < S i1 > 2 ( mod N ) g it g α i - T < S i1 > t ( mod N ) g iT g α i - T < S i1 > T ( mod N )
where
vector sij is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)
[vector Iij] is j'th divided specifying information for entity i;
vector 1 is a vector of dimension K wherein all components are 1;
Hj is a symmetrical 2Mj×2Mj matrix made up of random numbers;
Mj is size of j'th divided specifying information for entity i;
K is number of block divisions in information specifying entity i;
αi is a personal secret random number for entity i (where gcd (αi, λ(N))=1 and λ(·) is Carmichael function);
N is such that N=PQ (where P and Q are prime);
βij is a personal secret random number for entity i (where βi1i2+ . . . +βiK=λ(N));
g is maximum generating element with modulo N;
vector git is a secret key for 1st block of specifying information for entity i (t=0, 1, 2, . . . , T);
T is degree of exponent portion; and
if c is a scalar, and A and B are matrixes represented in (i) and (ii) below, then the expressions B=cA and B=<A>c represent (iii) and (iv) below, respectively
(i) A=(aμν)
(ii) B=(bμν)
(iii) bμν=ca μν
(iv) bμν=aμν c.
8. An encryption method wherein:
secret keys peculiar to entities are generated using divided specifying information resulting from division of information specifying each of said entities into a plurality of blocks, the divided information used to generate the secret keys allowing diminished sizes of the secret keys, each entity generating a common key by using a component corresponding to the divided specifying information of another entity;
plaintext is encrypted to ciphertext at one entity using a common key generated using a component contained in the secret key peculiar to the one entity, the component corresponding to divided specifying information for another entity that is a destination of said ciphertext; and
computation formulas for generating said secret keys peculiar to said entities are as follows:
S i1 = α i H 1 [ I i1 ] + β i1 1 S i2 = α 1 H 2 [ I i2 ] + β 12 1 S ij = α i H j [ I ij ] + β ij 1 S iK = α i H K [ I iK ] + β iK 1 g i0 g α i - T 1 ( mod N ) g i1 g α i - T S i1 ( mod N ) g i2 g α i - T < S i1 > 2 ( mod N ) g it g α i - T < S i1 > t ( mod N ) g iT g α i - T < S i1 > T ( mod N )
where
vector sij is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)
[vector Iij] is j'th divided specifying information for entity i;
vector 1 is a vector of dimension K wherein all components are 1;
Hj is a symmetrical 2Mj×2Mj matrix made up of random numbers;
Mj is size of j'th divided specifying information for entity i;
K is number of block divisions in information specifying entity i;
αi is a personal secret random number for entity i
(where gcd (αi, λ(N))=1 and λ(·) is Carmichael function);
N is such that N=PQ (where P and Q are prime);
βij is a personal secret random number for entity i
(where βi1i2+ . . . +βiK=λ(N));
g is maximum generating element with modulo N;
vector git is a secret key for 1st block of specifying information for entity i (t=0, 1, 2, . . . , T);
T is degree of exponent portion; and
if c is a scalar, and A and B are matrixes represented in (i) and (ii) below, the expressions B=cA and B=<A>c represent (iii) and (iv) below, respectively
(i) A=(aμν)
(ii) B=(bμν)
(iii) bμν=ca μν
(iv) bμν=aμν c.
9. The encryption method according to claim 8, wherein computation formulas for generating said common keys are as follows:
g 0 im = g io [ I m1 ] g 1 im = g i1 [ I m1 ] g tim = g it [ I m1 ] g Tim = g iT [ I m1 ] x 21 m = s i2 [ I m2 ] x i1m = s ij [ I mj ] x Kim = s iK [ I mK ] K im t = 0 T g t im T C t y im ( T - t ) g α i - T t = 0 T T Cx 1 im t y im T - t g α i - T ( x 1 im + y im ) T g α i - T ( x 1 im + · + x kim ) T g α i - T ( α i H 1 [ I i1 ] [ I m1 ] + β i1 + · + α i H K [ I iK ] [ I mK ] + β 1 K ) T g α i - T ( α i H 1 [ I i1 ] [ I m1 ] + · + H K [ I iK ] [ I mK ] + λ ( N ) ) T g α i - T ( α i ( H 1 [ I i1 ] [ I m1 ] + · + H K [ I iK ] [ I mK ] ) ) T g ( H 1 [ I i1 ] [ I m1 ] + · + H K [ I iK ] { I mK ] ) ( mod N )
where
gtim (=vector git [vector Im1]) is a component corresponding to vector Im1 for entity m, selected from own vector git for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);
xlim=vector Sil [vector Iml];
xjim (=vector sij [vector Imj]) is a component corresponding to vector Imj for entity m, selected from own vector sij for j'th block of information specifying entity i (j=2, 3, . . . , K);
Kim is a common key generated by one entity i for another entity m; and
yim is sum of (K-1) components xjim (j=2, 3, . . . , K), that is, yim=x2im+x3im+ . . . +xKim.
10. A cryptographic communications method for communications of information between entities, wherein
a plurality of centers are deployed, each of which generates secret keys peculiar to said entities using divided specifying information resulting from division of information specifying each of said entities into a plurality of blocks, the divided information used to generate the secret keys allowing diminished sizes of the secret keys, and sends the secret keys to the entities respectively;
one entity generates a first common key using a first component contained in secret keys peculiar to the one entity sent from the centers, encrypts plaintext to ciphertext using the first common key, and sends the ciphertext to said another entity, the first component corresponding to divided specifying information for another entity;
said another entity generates a second common key identical to the first common key using a second component contained in secret keys peculiar to said another entity sent from the centers, and decrypts said ciphertext using the second common key, the second component corresponding to divided specifying information for the one entity; and
computation formulas for generating said secret keys at said centers are as follows:
S i1 = α i H 1 [ I i1 ] + β i1 1 S i2 = α i H 2 [ I i2 ] + β i2 1 S ij = α i H j [ I ij ] + β ij 1 S i K = α i H K [ I i K ] + β i K 1 g i0 g α i - T 1 ( mod N ) g i1 g α i - T S i1 ( mod N ) g i2 g α i - T < S i1 > 2 ( mod N ) g 1 t g α i - T < S i1 > t ( mod N ) g 1 T g α i - T < S i1 > T ( mod N )
where
vector sij is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)
[vector Iij] is j'th divided specifying information for entity i;
vector 1 is a vector of dimension K wherein all components are 1;
Hj is a symmetrical 2Mj×2Mj matrix made up of random numbers;
Mj is size of j'th divided specifying information for entity i;
K is number of block divisions in information specifying entity i;
αi is a personal secret random number for entity i (where gcd (αi, λ(N))=1 and λ(·) is Carmichael function);
N is such that N=PQ (where P and Q are prime);
βij is a personal secret random number for entity i (where βi1i2+ . . . +βiK=λ(N));
g is maximum generating element with modulo N;
vector git is a secret key for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);
T is degree of exponent portion; and
if c is a scalar, and A and B are matrixes represented in (i) and (ii) below, the expressions B=cA and B=<A>c represent (iii) and (iv) below, respectively
(i) A=(aμ y )
(ii) B=(bμ y )
(iii) bμ y =ca μ y
(iv) bμ y =aμ y c.
11. The cryptographic communications method according to claim 10, wherein computation formulas for generating said common keys are as follows:
g 0 im = g i0 [ I m1 ] g 1 im = g i1 [ I m1 ] g tim = g it [ I m1 ] g Tim = g iT [ I m1 ] x 2 im = s i2 [ I m2 ] x jim = s ij [ I mj ] x K im = s i K [ I m K ] K im t = 0 T g tim T C t y j m ( T - t ) g α 1 - T t = 0 T T Cx 1 im t y im T - t g α 1 - T ( x 1 im + y im ) T g α 1 - T ( x 1 im + · + x kim ) T g α 1 - T ( α i H 1 [ I j1 ] [ I m1 ] + β i1 + · + α i H K [ I 1 k ] [ I mK ] + β iK ) T g α 1 - T ( α i H 1 [ I j1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] + λ ( N ) ) T g α 1 - T ( α i ( H 1 [ I i1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] ) ) T g ( H 1 [ I j1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] ) T ( mod N )
where
gtim(=vector git [vector Im1]) is a component corresponding to vector Im1 for entity m, selected from own vector git for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);
xlim=vector sil [vector Iml];
xjim (=vector sij [vector Imj]) is a component corresponding to vector Imj for entity m, selected from own vector sij for j'th block of information specifying entity i (j=2, 3, . . . , K);
Kim is a common key generated by one entity i for another entity m; and
yim is sum of (K-1) components xjim (=2, 3, . . . , K), that is, yim=x2im+x3im+ . . . +xKim.
12. A common key generator provided at entities in a cryptographic communications system for generating a common key to be used in processing to encrypt plaintext to ciphertext and in processing to decrypt ciphertext back to plaintext, comprising:
storage means for storing secret keys peculiar to said entities produced, according to computation formulas given below, for divided specifying information resulting from division of information specifying each of said entities into a plurality of blocks, the divided information used to generate the secret keys allowing diminished sizes of the secret keys, each entity generating a common key by using a component corresponding to the divided specifying information of another entity;
selection means for selecting components corresponding to divided specifying information for opposite entities to be communicated with, from the secret keys stored; and
means for generating said common keys, according to computation formulas given below, using said components so selected:
S i1 = α i H 1 [ I i1 ] + β i1 1 S i2 = α i H 2 [ I i2 ] + β i2 1 S ij = α i H j [ I ij ] + β ij 1 S i K = α i H K [ I i K ] + β i K 1 g i0 g α i - T 1 ( mod N ) g i1 g α i - T S i1 ( mod N ) g i2 g α i - T < S i1 > 2 ( mod N ) g 1 t g α i - T < S i1 > t ( mod N ) g 1 T g α i - T < S i1 > T ( mod N )
where
vector sij is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)
[vector Iij] is j'th divided specifying information for entity i;
vector 1 is a vector of dimension K wherein all components are 1;
Hj is a symmetrical 2Mj×2Mj matrix made up of random numbers;
Mj is size of j'th divided specifying information for entity i;
K is number of block divisions in information specifying entity i;
αi is a personal secret random number for entity i (where gcd (αi, λ(N))=1 and λ(·) is Carmichael function);
N is such that N=PQ (where P and Q are prime);
βij is a personal secret random number for entity i (where βi1i2+ . . . +βiK=λ(N));
g is maximum generating element with modulo N;
vector git is a secret key for 1st block of information specifying entity i (t=0, 1, 2 . . . , T);
T is degree of exponent portion; and
if c is a scalar, and A and B are matrixes represented in (i) and (ii) below, the expressions B=cA and B=<A>c represent (iii) and (iv) below, respectively
(i) A=(aμν)
(ii) B=(bμν)
(iii) bμν=ca μν
(iv) bμν=aμν c
g 0 im = g i0 [ I m1 ] g 1 im = g i1 [ I m1 ] g tim = g it [ I m1 ] g Tim = g iT [ I m1 ] x 2 im = s i2 [ I m2 ] x jim = s ij [ I mj ] x K im = s i K [ I m K ] K im t = 0 T g tim T C t y j m ( T - t ) g α 1 - T t = 0 T T Cx 1 im t y im T - t g α 1 - T ( x 1 im + y im ) T g α 1 - T ( x 1 im + · + x kim ) T g α 1 - T ( α i H 1 [ I j1 ] [ I m1 ] + β i1 + · + α i H K [ I 1 k ] [ I mK ] + β iK ) T g α 1 - T ( α i H 1 [ I j1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] + λ ( N ) ) T g α 1 - T ( α i ( H 1 [ I i1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] ) ) T g ( H 1 [ I j1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] ) T ( mod N )
where
gtim (=vector git [vector Im1]) is a component corresponding to vector Im1 for entity m, selected from own vector git for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);
xlim=vector sil [vector Iml];
xjim (=vector sij [vector Imj]) is a component corresponding to vector Imj for entity m, selected from own vector sij for j'th block of information specifying entity i (j=2, 3, . . . , K);
Kim is a common key generated by one entity i for another entity m; and
yim is sum of (K-1) components xjim (j=2, 3, . . . , K), that is, yim=x2im+x3im+ . . . +xKim.
13. A cryptographic communications system for reciprocally performing, between a plurality of entities, encryption processing for encrypting plaintext that is information to be sent into ciphertext and decryption processing for decrypting ciphertext so sent back into original plaintext, comprising:
a plurality of centers each of which generates secret keys peculiar to said entities, according to computation formulas given below, using divided specifying information resulting from division of information specifying each of said entities into a plurality of blocks, the divided information used to generate the secret keys allowing diminished sizes of the secret keys, and sends said secret keys to said entities; and
a plurality of entities each of which generates a common key mutually employed in said encryption and decryption processing when communicating with another entity, according to computation formulas given below, using a component contained in own secret key sent from said centers, the component corresponding to divided specifying information for said another entity:
S i1 = α i H 1 [ I i1 ] + β i1 1 S i2 = α i H 2 [ I i2 ] + β i2 1 S ij = α i H j [ I ij ] + β ij 1 S i K = α i H K [ I i K ] + β i K 1 g i0 g α i - T 1 ( mod N ) g i1 g α i - T S i1 ( mod N ) g i2 g α i - T < S i1 > 2 ( mod N ) g 1 t g α i - T < S i1 > t ( mod N ) g 1 T g α i - T < S i1 > T ( mod N )
where
vector sij is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)
[vector Iij] is j'th divided specifying information for entity i;
vector 1 is a vector of dimension K wherein all components are 1;
Hj is a symmetrical 2Mj×2Mj matrix made up of random numbers;
Mj is size of j'th divided specifying information for entity i;
K is number of block divisions in information specifying entity i;
αi is a personal secret random number for entity i (where gcd (αi, λ(N))=1 and λ(·) is Carmichael function);
N is such that N=PQ (where P and Q are prime);
βij is a personal secret random number for entity i (where βi1i2+ . . . +βiK=λ(N));
g is maximum generating element with modulo N;
vector git is a secret key for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);
T is degree of exponent portion; and
if c is a scalar, and A and B are matrixes represented in (i) and (ii) below, the expressions B=cA and B=<A>c represent (iii) and (iv) below, respectively
(i) A=(aμν)
(ii) B=(bμν)
(iii) bμν=ca μν
(iv) bμν=aμν c
g 0 im = g i0 [ I m1 ] g 1 im = g i1 [ I m1 ] g tim = g it [ I m1 ] g Tim = g iT [ I m1 ] x 2 im = s i2 [ I m2 ] x jim = s ij [ I mj ] x K im = s i K [ I m K ] K im t = 0 T g tim T C t y j m ( T - t ) g α 1 - T t = 0 T T Cx 1 im t y im T - t g α 1 - T ( x 1 im + y im ) T g α 1 - T ( x 1 im + · + x kim ) T g α 1 - T ( α i H 1 [ I j1 ] [ I m1 ] + β i1 + · + α i H K [ I 1 k ] [ I mK ] + β iK ) T g α 1 - T ( α i H 1 [ I j1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] + λ ( N ) ) T g α 1 - T ( α i ( H 1 [ I i1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] ) ) T g ( H 1 [ I j1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] ) T ( mod N )
where
gtim (=vector git [vector Im1]) is a component corresponding to vector Im1 for entity m, selected from own vector git for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);
xlim=vector sil [vector Iml];
xjim (=vector sij [vector Imj]) is a component corresponding to vector Imj for entity m, selected from own vector sij for j'th block of information specifying entity i (j=2, 3, . . . , K);
Kim is a common key generated by one entity i for another entity m; and
yim is sum of (K-1) components xjim (j=2, 3, . . . , K), that is, yim=x2im+x3im+ . . . +xKim.
14. A computer readable recording medium embodied in a tangible physical object for storing a program that generates at entities involved in communications a common key mutually used in processing to encrypt plaintext to ciphertext and in processing to decrypt said ciphertext back to said plaintext in a cryptographic communications system, comprising:
first program code means for causing said computer to select a component corresponding to divided specifying information of one entity that is a ciphertext recipient from a secret key peculiar to another entity that is a ciphertext sender, according to computation formulas given below, for each of divided specifying information resulting from division of information specifying each of said entities into a plurality of blocks, the divided information allowing a diminished size of the secret key; and
second program code means for causing said computer to generate said common key, according to computation formulas given below, using said components selected:
S i1 = α i H 1 [ I i1 ] + β i1 1 S i2 = α i H 2 [ I i2 ] + β i2 1 S ij = α i H j [ I ij ] + β ij 1 S i K = α i H K [ I i K ] + β i K 1 g i0 g α i - T 1 ( mod N ) g i1 g α i - T S i1 ( mod N ) g i2 g α i - T < S i1 > 2 ( mod N ) g it g α i - T < S i1 > t ( mod N ) g iT g α i - T < S i1 > T ( mod N )
where
vector sij is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)
[vector Iij] is j'th divided specifying information for entity i;
vector 1 is a vector of dimension K wherein all components are 1;
Hj is a symmetrical 2Mj×2Mj matrix made up of random numbers;
Mj is size of j'th divided specifying information for entity i;
K is number of block divisions in information specifying entity i;
αi is a personal secret random number for entity i (where gcd (αi, λ(N))=1 and λ(·) is Carmichael function);
N is such that N=PQ (where P and Q are prime);
βij is a personal secret random number for entity i (where βi1i2+ . . . +βiK=λ(N));
g is maximum generating element with modulo N;
vector git is a secret key for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);
T is degree of exponent portion; and
if c is a scalar, and A and B are matrixes represented in (i) and (ii) below, the expressions B=cA and B=<A>c represent (iii) and (iv) below, respectively
(i) A=(aμν)
(ii) B=(bμν)
(iii) bμν=ca μν
(iv) bμν=aμν c
g 0 im = g i0 [ I m1 ] g 1 im = g i1 [ I m1 ] g tim = g it [ I m1 ] g Tim = g iT [ I m1 ] x 2 im = s i2 [ I m2 ] x jim = s ij [ I mj ] x K im = s i K [ I m K ] K im t = 0 T g tim T C t y j m ( T - t ) g α 1 - T t = 0 T T Cx 1 im t y im T - t g α 1 - T ( x 1 im + y im ) T g α 1 - T ( x 1 im + · + x kim ) T g α 1 - T ( α i H 1 [ I j1 ] [ I m1 ] + β i1 + · + α i H K [ I 1 k ] [ I mK ] + β iK ) T g α 1 - T ( α i H 1 [ I j1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] + λ ( N ) ) T g α 1 - T ( α i ( H 1 [ I i1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] ) ) T g ( H 1 [ I j1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] ) T ( mod N )
where
gtim (=vector git [vector Im1]) is a component corresponding to vector Im1 for entity m, selected from own vector git for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);
xlim=vector sil[vector Iml];
xjim (=vector sij [vector Imj]) is a component corresponding to vector Imj for entity m, selected from own vector sij for j'th block of information specifying entity i (j=2, 3, . . . , K);
Kim is a common key generated by one entity i for another entity m; and
yim is sum of (K-1) components xjim (j=2, 3, . . . , K), that is, yim=x2im+x3im+ . . . +xKim.
15. A computer readable program embodied in a tangible physical object for generating at entities involved in communications a common key mutually used in processing to encrypt plaintext to ciphertext and in processing to decrypt said ciphertext back to said plaintext in a cryptographic communications system, comprising:
first code segment for causing a computer to select a component corresponding to divided specifying information of one entity that is a ciphertext recipient from a secret key peculiar to another entity that is a ciphertext sender, according to computation formulas given below, for each of divided specifying information resulting from division of information specifying each of said entities into a plurality of blocks, the divided information allowing a diminished size of the secret key; and
second code segment for causing said computer to generate said common key, according to computation formulas given below, wherein said computer generates said common keys by using a component corresponding to the divided specifying information of another computer, using said components selected:
S i1 = α i H 1 [ I i1 ] + β i1 1 S i2 = α i H 2 [ I i2 ] + β i2 1 S ij = α i H j [ I ij ] + β ij 1 S i K = α i H K [ I i K ] + β i K 1 g i0 g α i - T 1 ( mod N ) g i1 g α i - T S i1 ( mod N ) g i2 g α i - T < S i1 > 2 ( mod N ) g 1 t g α i - T < S i1 > t ( mod N ) g 1 T g α i - T < S i1 > T ( mod N )
where
vector sij is a secret key corresponding to j'th divided specifying information for entity i (j=1, 2, . . . , K)
[vector Iij] is j'th divided specifying information for entity i;
vector 1 is a vector of dimension K wherein all components are 1;
Hj is a symmetrical 2Mj×2Mj matrix made up of random numbers;
Mj is size of j'th divided specifying information for entity i;
K is number of block divisions in information specifying entity i;
αi is a personal secret random number for entity i (where gcd (αi, λ(N))=1 and λ(·) is Carmichael function);
N is such that N=PQ (where P and Q are prime);
βij is a personal secret random number for entity i (where βi1i2+ . . . +βiK=λ(N));
g is maximum generating element with modulo N;
vector git is a secret key for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);
T is degree of exponent portion; and
if c is a scalar, and A and B are matrixes represented in (i) and (ii) below, the expressions B=cA and B=<A>c represent (iii) and (iv) below, respectively
(i) A=(aμν)
(ii) B=(bμν)
(iii) bμν=ca μν
(iv) bμν=aμν c
g 0 im = g i0 [ I m1 ] g 1 im = g i1 [ I m1 ] g tim = g it [ I m1 ] g Tim = g iT [ I m1 ] x 2 im = s i2 [ I m2 ] x jim = s ij [ I mj ] x K im = s i K [ I m K ] K im t = 0 T g tim T C t y j m ( T - t ) g α 1 - T t = 0 T T Cx 1 im t y im T - t g α 1 - T ( x 1 im + y im ) T g α 1 - T ( x 1 im + · + x kim ) T g α 1 - T ( α i H 1 [ I j1 ] [ I m1 ] + β i1 + · + α i H K [ I 1 k ] [ I mK ] + β iK ) T g α 1 - T ( α i H 1 [ I j1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] + λ ( N ) ) T g α 1 - T ( α i ( H 1 [ I i1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] ) ) T g ( H 1 [ I j1 ] [ I m1 ] + · + H K [ I 1 k ] [ I mK ] ) T ( mod N )
where
gtim (=vector git [vector Im1]) is a component corresponding to vector Im1 for entity m, selected from own vector git for 1st block of information specifying entity i (t=0, 1, 2, . . . , T);
xlim=vector sil [vector Iml];
xjim (=vector sij [vector Imj]) is a component corresponding to vector Imj for entity m, selected from own vector sij for j'th block of information specifying entity i (j=2, 3, . . . , K);
Kim is a common key generated by one entity i for another entity m; and
yim is sum of (K-1) components xjim (j=2, 3, . . . , K), that is, yim=x2im+x3im++. . . xKim.
Description
BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates to a secret key generation method for generating secret keys peculiar to entities, to an encryption method for encrypting information so that it will be unintelligible to any but an authorized party, and to a cryptographic communications method which performs communications with ciphertext.

2. Description of the Related Art

In today's world, characterized by sophisticated information utilization, important business documents and image information are transmitted and processed in the form of electronic information over an infrastructure of computer networks. By its very nature, electronic information can be easily copied, making it extremely difficult to distinguish between the copy and the original, and information security has become a very serious problem. The realization of computer networks which support “shared computer resources,” “multi-access,” and “broad-area implementation” is particularly indispensable to the establishment of a high-level information society. However, that very realization involves aspects which are inconsistent with the security of information exchanged between authorized parties. An effective technique for eliminating that inconsistency is encryption technology, which up until now, in the course of human history, has been primarily used in the fields of military operations and foreign diplomacy.

Cryptography is the process of exchanging information so that its meaning cannot be understood by anyone other than the authorized parties. In cryptographic operations, the conversion of the original text (plaintext) that anyone can understand to text (ciphertext) the meaning of which cannot be understood by a third party is called encryption, and the restoration of the ciphertext to plaintext is called decryption. The overall system wherein this encryption and decryption are performed is called a cryptosystem. In the processes of encryption and decryption, respectively, secret information called encryption keys and decryption keys are employed. A secret decryption key is necessary at the time of decryption, wherefore only a party knowledgeable of that decryption key can decrypt the ciphertext. Accordingly, the confidentiality of the information is maintained by the encryption.

The encryption key and decryption key may be the same or they may be different. A cryptosystem wherein both keys are the same is called a common key cryptosystem, and the DES (Data Encryption Standards) adopted by the Bureau of Standards of the U.S. Department of Commerce is a typical example thereof. Conventional examples of such common key encryption schemes can be divided into the following three types.

(1) Type 1

Methods wherewith all common keys to be shared with possible parties in cryptographic communications are held in secret.

(2) Type 2

Methods wherewith keys are mutually shared by a preparatory communication each time cryptographic communications are conducted (including Diffie-Hellman-based key sharing scheme, key distribution scheme based on public key schemes, etc.).

(3) Type 3

Methods wherewith disclosed identification information (ID information)) that specifies an individual, such as user (entity) name and address, etc., is used, and both the sending entity and receiving entity independently generate the same common key without preparatory communications (including KPS (key predistribution systems), ID-NIKS (ID-based non-interactive key sharing schemes), etc.).

Such conventional methods as seen in these three types of schemes are subject to the problems described below. With method 1, since all of the common keys are stored, this scheme is unsuitable for a network society wherein an unspecified large number of users become entities and conduct cryptographic communications. With method 2, there is a problem in that preparatory communications are required for key sharing.

Method 3 is a convenient method because it requires no preparatory communications, and a common key with any opposite party can be generated using the disclosed ID information of the opposite party together with characteristic secret parameters distributed beforehand from a center. Nevertheless, this scheme is subject to the following two problems. Firstly, the center must become a “big brother” (creating a key escrow system wherein the center holds the secrets of all of the entities). Secondly, there is a possibility that some number of entities could collude to compute the center secrets. In the face of this collusion problem, many innovative techniques have been devised to circumvent the problem by way of computation volume, but a complete solution is very difficult.

The difficulties of resolving this collusion problem arise from the fact that the secret parameters based on the ID information form dual structures comprising center secrets and personal secrets. With method 3, a cryptosystem is configured using the disclosed parameters of the center, the disclosed ID information of the individual entities, and the two types of secret parameters for the center and entities. Not only so, but it is necessary also to configure such that center secrets will not be revealed even if the entities compare the personal secrets distributed to each. Accordingly, there are many problems that must be resolved before this cryptosystem can be actually realized.

SUMMARY OF THE INVENTION

It is an object of the present invention to provide a secret key generation method, encryption method, and cryptographic communications method based on an ID-NIKS, wherewith specifying information (ID information) is divided into a plurality of portions, and all secret keys based on the divided specifying information are distributed to entities from each of a plurality of centers, whereby it is possible to minimize the mathematical structures, circumvent the collusion problem, and facilitate the construction of the cryptosystem.

Another object of the present invention is to provide a secret key generation method, encryption method, and cryptographic communications method that are more highly resistant to random number substitution attack.

According to a first aspect of the present invention, there is provided a secret key generation method for generating secret keys peculiar to entities that are to be sent from a center to the entities, characterized in that the secret keys peculiar to the entities are generated using divided specifying information resulting from the division of information specifying the entities.

According to a second aspect of the present invention, there is provided an encryption method wherein secret keys peculiar to entities are sent to the entities from the center respectively, and an entity encrypts plaintext to ciphertext using a secret key peculiar to that entity sent from the center, characterized in that the secret keys peculiar to the entities are generated using divided specifying information resulting from the division of information specifying the entities, and plaintext is encrypted to ciphertext at one entity that is a ciphertext sender using a common key generated from a component contained in its own secret key, the component corresponding to the divided specifying information of another entity that is a destination of the ciphertext.

According to a third aspect of the present invention, there is provided a cryptographic communications method for communicating information between entities, wherein one entity encrypts plaintext to ciphertext using a first common key derived from a first secret key peculiar to that entity sent from a center and sends the ciphertext to another entity (recipient), and the recipient decrypts the ciphertext to the plaintext using a second common key identical to the first common key, the second common key being derived from a second secret key peculiar to the recipient sent from the center, characterized in that a plurality of the centers are deployed, each of the centers generates secret keys peculiar to the entities using divided specifying information resulting from the division of information specifying the entities, and each of the entities generates the common key using a component, contained in its own secret key, corresponding to the divided specifying information of an opposite entity.

The reason why the various cryptosystems based on entity specifying information proposed for the purpose of resolving the collusion problem have been unsuccessful lies in excessively seeking mathematical structures to provide innovative techniques for preventing center secrets from being deduced from entity collusion information. When the mathematical structures are too complex, the method of demonstrating safety becomes very difficult. In the present invention, therefore, the mathematical structures are held to a bare minimum by dividing entity specifying information into a plurality of portions and distributing all the secret keys for each of the divided specifying information to the entities.

In the present invention, a plurality of centers are deployed, and each center generates a secret key corresponding to one unit (or piece) of divided specifying information for one entity. Accordingly, no single center holds all of the entity secrets and hence no center becomes a “big brother.” Also, because the mathematical structures are held down to a minimum, circumvention of the collusion problem is easily realized and the cryptosystem is also simple to implement. Furthermore, the secret keys peculiar to one entity for that entity to generate a common key have been sent from the centers and are stored from the start in table form, wherefore the time required for common key generation can be significantly shortened.

According to a fourth aspect of the present invention, there is provided a secret key generation method for generating secret keys specific to entities using divided specifying information resulting from the division of information specifying the entities into a plurality of blocks, characterized in that the secret key for a first block of divided specifying information has a multi-layer structure and each of the secret keys for the remaining blocks of divided specifying information has a single-layer structure.

According to a fifth aspect of the present invention, there is provided an encryption method wherein secret keys peculiar to entities are generated using divided specifying information resulting from the division of information specifying the entities into a plurality of blocks, plaintext is encrypted to ciphertext using a common key generated using a component, contained in the secret key, corresponding to the divided specifying information for an opposite entity to which the ciphertext is to be sent, characterized in that the secret key for a first block of divided specifying information has a multi-layer structure, and each of the secret keys for the remaining blocks of divided specifying information has a single-layer structure.

According to a sixth aspect of the present invention, there is provided a cryptographic communications method for communicating information between entities, wherein a plurality of centers are deployed, each of which generates secret keys peculiar to the entities using divided specifying information resulting from the division of information specifying the entities into a plurality of blocks, one entity generates a first common key using a first component contained in secret keys peculiar to that entity sent from the centers and corresponding to the divided specifying information of another entity (recipient), encrypts plaintext to ciphertext using the first common key, and sends the ciphertext to the recipient, the recipient generates a second common key identical to the first common key, using a second component contained in secret keys peculiar to the recipient sent from the centers and corresponding to the divided specifying information of the ciphertext sender, and decrypts the ciphertext to the original plaintext using the second common key, the secret key for a first block of divided specifying information has a multi-layer structure, and the secret keys for the remaining blocks of divided specifying information have a single-layer structure.

The present invention is configured in such a manner that the common key can only be derived after the computation for all blocks is complete, and a divided block of information specifying a specific entity cannot be attacked independently, whereupon random number substitution attack can be circumvented.

The term “recording medium” or “computer usable (or readable) medium” in this specification includes any physical object in which a program to be executed by CPU or the like is stored. For example, the “recording medium” includes a floppy disc, CD-ROM, hard disk drive, ROM, RAM, optical recording medium such as DVD, photo-magnetic recording medium such as MO, magnetic recording medium such as magnetic tape, and semiconductor memory such as IC card and miniature card. A data signal embodied in a carrier wave may be the computer readable medium.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a model diagram representing the configuration of a cryptographic communications system of the present invention;

FIG. 2 illustrates a model diagram representing an example of entity ID vector division;

FIG. 3 illustrates a model diagram showing how information is communicated between two entities;

FIG. 4 is a diagram representing the configuration of another cryptographic communications system according to the present invention;

FIG. 5 depicts another example of entity ID vector division;

FIG. 6 is a diagram showing how information is communicated between two entities; and

FIG. 7 is a diagram showing the configuration of a recording media.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

Embodiments of the present invention are now described.

FIG. 1 is a model diagram representing the configuration of an cryptographic communications system of the present invention. A plurality of centers 1 (K in number) which can be trusted to maintain information confidentiality are established. These centers 1 may be public institutions in a society, for example. The deployment of the plurality of centers 1 is the point of difference with the conventional third method.

These centers 1 are connected to a plurality of entities a, b, . . . , z that are the users employing this cryptosystem by secret channels (communication paths) 2 a1, 2 aK, 2 b1, . . . , 2 bK, . . . 2 z1, . . . , 2 zK. Secret information is sent from the centers 1 via these secret communication paths to the entities a, b, . . . , z. Communication paths 3 ab, 3 az, 3 bz, etc., are also provided between pairs of entities. Ciphertext obtained by encrypting communications information is sent back and forth between entities via these communication paths 3 ab, 3 az, 3 bz, etc.

1st Embodiment

A first embodiment that is a basic scheme of the present invention is described first.

Preparatory Processing at Centers 1:

The centers 1 prepare public keys and secret keys as follows and disclose the public keys.

Public key P Large prime number
L Size of ID vector (L = KM)
K Number of ID vector division
blocks
M Size of divided ID vector
Secret key g GF (P) primitive element
Hj Symmetrical 2M × 2M matrix formed
of random numbers
(j = 1, 2, . . . , K)
αij Personal secret random number of
entity i (where αi1αi2 . . . αiK ≡ 1
(mod P − 1))

ID vectors that are specifying information indicating the names and addresses of entities are made L-dimension binary vectors, and each of the ID vectors is divided into K blocks (each has a block size M) as diagrammed in FIG. 2. The ID vector for entity i (i.e. vector Ii), for example, is divided as indicated in formula 1 below. The vectors Iij (j=1, 2, . . . , K), that are divided specifying information, are called ID division vectors.
{right arrow over (I i)}=[{right arrow over (I i1)}|{right arrow over (I i2)}| . . . |{right arrow over (I iJ)}]  (1)

Entity Registration Processing:

When each of the centers 1 is requested by an entity i for registration, K secret vectors sij (j=1, 2, . . . K) corresponding, respectively, to a prepared key and K ID division vectors for entity i are found according to formulas 2-1, 2-2, . . . , 2-K, as represented below, the vectors sij so found are sent to entity i in secret, and registration is complete.

s i 1 g α i1 H 1 [ I i1 ] ( mod P ) (2-1) s i 2 α i2 H 2 [ I i2 ] ( mod P - 1 ) (2-2) s iK α iK H K [ I iK ] ( mod P - 1 ) (2-K)

However, when g is a scalar, and A and B are matrixes, the representation B=gA indicates that power multiplication on g is performed for each component (μ, ν) of A. In other words, the result is as given in formula 3 below. The representation Hj [vector Iij] indicates that one row corresponding to the vector Iij is extracted from the symmetrical matrix Hj, and the [·] operation is also defined for reference.
Bμν=gA μν   (3)

Processing for Generating Common Keys Between Entities:

Entity i selects from its own secret key vectors si1 a vector si1 [vector Im1] of the component corresponding to vector Im1 that is the ID division vector of entity m, and also selects from among the secret key vectors sij for each of the blocks j (j=2, . . . , K) the vector sij [vector Imj] of the component corresponding to the vector Imj. Then, entity i sequentially power-multiplies all of the vectors sij [vector Imj] (j=2, . . . , K) except for the vector si1 [vector Im1], with modulo P and the vector si1 [vector Im1] as the base, thereby deriving the common key Kim. The computation formula for finding this Kim specifically becomes formula 4 below. This Kim coincides with the common key Kmi derived at the entity m end.

K im s i1 [ I m1 ] s i2 [ I m2 ] s iK [ I mK ] g α i1 α iK · H 1 [ I i1 ] [ I m1 ] H K [ I iK ] [ I mK ] g H 1 [ I i1 ] [ I m1 ] H K [ I iK ] [ I nK ] ( mod P ) ( 4 )

Next, the communication of information between entities in the cryptosystem described above is described. FIG. 3 illustrates information communicated between two entities a and b. In the example diagrammed in FIG. 3, entity a encrypts a plaintext (message) M to a ciphertext C which it sends to entity b, and entity b decrypts that ciphertext C back to the original plaintext (message) M.

A secret key generator 1 a is provided at the j'th center 1 (where j=1, 2, . . . , K) for deriving the vectors saj and sbj (secret keys) peculiar to the entities a and b, respectively, following formula 2-j given earlier. Then, when a request for registration is tendered from the entities a and b, the secret key vectors saj and sbj for those entities a and b are sent to the entities a and b.

Entity a is provided with a memory 10 for storing, in tabular form, the characteristic secret key vectors sa1, . . . , saj, . . . , saK sent from the K centers 1, a component selector 11 for selecting from among those secret key vectors the vector sa1 [vector Ib1], . . . , vector saj [vector Ibj] . . . , vector saK [vector IbK] for the components corresponding to entity b, a common key generator 12 for generating the common key Kab with entity b sought by entity a using those components selected, and an encryptor 13 for encrypting the plaintext (message) M to the ciphertext C using that common key Kab and outputting it over the communication path 30.

Entity b, meanwhile, is provided with a memory 20 for storing, in tabular form, the characteristic secret key vectors sb1, . . . , sbj, . . . , sbK sent from the centers 1, a component selector 21 for selecting from among those secret key vectors the vector sb1 [vector Ia1], . . . , vector sbj [vector Iaj], . . . , vector sbK [vector IaK] for the components corresponding to entity a, a common key generator 22 for generating the common key Kba with entity a sought for by entity b using those components selected, and a decryptor 23 for decrypting the ciphertext C input from the communication path 30 to the plaintext (message) M using that common key Kba and outputting it.

When information is to be sent from entity a to entity b, first, the secret key vectors sa1, sa2, . . . , saK pre-stored in the memory 10 after being derived according to the formulas 2-1, 2-2, . . . , 2-K at the centers 1 are read out to the component selector 11. Then, the component selector 11 selects the vector sa1 [vector Ib1], vector sa2 [vector Ib2], . . . , and vector saK [vector IbK] that are the components corresponding to entity b, and sends them to the common key generator 12. The common key generator 12 uses these components to derive the common key Kab according to formula 4, and sends that common key Kab to the encryptor 13. With the encryptor 13, this common key Kab is used to encrypt the plaintext (message) M to the ciphertext C and the ciphertext C is sent via the communication path 30.

The ciphertext C sent over the communication path 30 is input to the decryptor 23 of entity b. The secret key vectors sb1, sb2, . . . , sbK derived according to formulas 2-1, 2-2, . . . , 2-K at the centers 1 and prestored in the memory 20 are read out to the component selector 21. Then, the component selector 21 selects the vector sb1 [vector Ia1], vector sb2 [vector Ia2], . . . , vector sbK [vector IaK] that are components corresponding to entity a, and sends them to the common key generator 22. The common key generator 22 uses these components to derive the common key Kba according to formula 4 and sends this common key Kba to the decryptor 23. The decryptor 23 uses the common key Kba to decrypt the ciphertext C to the plaintext (message) M.

In the scheme of the present invention, the secret key vectors peculiar to the entities are stored beforehand in the memories of the entities so that a shorter time is required to generate the common keys.

The safety provided by the scheme of the present invention is now discussed.

It is known that one of the conditions necessary to a safe ID-NIKS is the inability of separating the secret key generating functions and key sharing functions in polynomial time. A fact that the scheme of the present invention satisfies this necessary condition is described below.

Secret Key Generating Function:

The scheme of the present invention has a total of K secret key generating functions as indicated in formulas 5 and 6 below.

f 1 ( x ) = g α i1 H 1 [ x ] ( j = 1 ) ( 5 ) f j ( x ) = α ij H j [ x ] ( j = 2 , , K ) ( 6 )

If H is an arbitrary symmetrical matrix, then the referencing function [·] is clearly indivisible, as shown in formulas 7 and 8 below.

H [ x + y ] H [ x ] + H [ y ] ( 7 ) H [ x + y ] H [ x ] · H [ y ] ( 8 )

Thus, the K secret key generating functions represented in formulas 5 and 6 are indivisible, as shown in formula 9 below.

f j ( x + y ) f j ( x ) f j ( y ) ( j = 1 , 2 , , K ) ( 9 )

Key Sharing Function:

The key sharing function in the scheme of the present invention is represented in formula 10 below.

F ( x , y ) = g H 1 [ x 1 ] [ y 1 ] ⋯H K [ x K ] [ y K ] ( 10 )

As in the case of the secret key generating functions, the key sharing function represented in formula 10 is indivisible, as shown in formula 11 below.

F ( a , x + y ) F ( a , x ) F ( a , y ) ( 11 )

Attacks for breaking cryptosystems by the collusion of an indefinite number of entities (hereinafter “non-corrupting collusion”) has been debated for quite some time. At the same time, attacks conducted by a smaller number of collaborators wherein only entities necessary for the attack are bought (hereinafter “corrupting collusion”) are also effective if a certain individual is the only target. The safety of the scheme of the present invention against such corrupting and non-corrupting collusions is now considered.

Safety Against Non-Corrupting Collusion:

In cases where it is possible to represent the ID vector of any entity by a linear combination of collaborator ID vectors (combination attack) and either the secret key generating function or key sharing function is divisible in polynomial time, it is possible to counterfeit the secret keys of other entities from the secret keys of the collaborators (separation attack). Such an attack is known as a linear attack.

In the scheme of the present invention, the ID vector of any entity can be represented as a linear combination by using the ID vectors of L collaborators who are linearly independent. That is, a combination attack by L or more entities is viable. However, because the secret key generating functions and key sharing function are indivisible functions, as noted earlier, the secret key and common key of that entity cannot be counterfeited by a separation attack even in the unlikely case where a combination attack against any entity should become viable. Therefore the linear attack does not work with the scheme of the present invention. Accordingly, in the face of a non-corrupting collusion, the scheme of the present invention has a collusion threshold (minimum number of collaborators required for combination attack) that is far higher than L.

Safety Against Corrupting Collusion:

In cases where an attack is made against the scheme of the present invention wherein a specific entity is targeted, a random number substitution attack like that described below is conceivable wherein all of the entities required for the attack are bought out and all of the secret keys of the bought-out entities are used.

The situation is described in an example where the name is four Kanji characters (L=4×16=64 bits) so that the entity ID is easy to understand and each Kanji character is treated as 1 block. In other words, it is assumed that K=4 and M=16.

A case is now considered wherein the IDs of entities Z, A, B, C, and D are set as noted below, entities A, B, C, and D are bought out, and entity Z is attacked.

I Z = [ ] I A = [ ] I B = [ ] I C = [ ] I D = [ ]

The secret key of entity Z is then given as follows.

s Z 1 g α Z 1 H 1 [ ] ( mod P ) s Z 2 α Z 2 H 2 [ ] ( mod P - 1 ) s Z 3 α Z 3 H 3 [ ] ( mod P - 1 ) s Z 4 α Z 4 H 4 [ ] ( mod P - 1 )

The collaborators make the following computations and counterfeit the secret key of entity Z.

s Z 1 s A 1 g α A1 H 1 [ ] ( mod P ) s Z 2 s A 2 [ ] s B 2 [ ] · s B 2 α A2 H 2 [ ] [ ] α B2 H 2 [ ] [ ] · α B2 H 2 [ ] α A2 H 2 [ ] ( mod P - 1 ) s Z 3 s A 3 [ ] s C 3 [ ] · s C 3 α A3 H 3 [ ] [ ] α C3 H 3 [ ] [ ] · α C3 H 3 [ ] α A3 H 3 [ ] ( mod P - 1 ) s Z 4 s A 4 [ ] s D 4 [ ] · s D 4 α A4 H 4 [ ] [ ] α D4 H 4 [ ] [ ] · α D4 H 4 [ ] α A4 H 4 [ ] ( mod P - 1 )

It may be seen here that the counterfeited vectors sZ1′ to sZ4′ work in the same manner as the vectors sZ1 to sZ4 respectively. Hence the collusion attack is definitely viable against the scheme of the present invention in situations where it is possible to buy out enough entities to mount the attack.

In order for this corrupting collusion attack to be viable, however, it is necessary to acquire the secret keys of a collaborator having exactly the same ID division vectors as the K number of ID division vectors of the entity targeted for attack. For some specific block, only one entity in 2M entities has exactly the same ID division vectors. Buying all of the K blocks for this special entity, even assuming the values M=10 and K=100, is hardly an easy task. Accordingly, the scheme of the present invention may be said to be safe against corrupting collusions. The parameters M and K can be suitably set according to the scale of the cryptosystem and/or to the degree of safety required.

Now, in order to circumvent a random number substitution attack by corrupting collusion, it is only necessary to implement measures to prevent the division blocks from being independently attacked. In other words, it is only necessary to make it so that the random number terms disappear only after the computation of all of the blocks is complete. With this perspective, two embodiment are now described which represent improvements of the first embodiment.

2nd Embodiment

Another example of the present invention (2nd embodiment) is now described which is made stronger against random number substitution attack by combining a random number elimination method.

Preliminary Processing at Centers 1:

As in the first embodiment, the centers 1 prepare public keys and secret keys as follows and disclose the public keys.

Public key P Large prime number
L Size of ID vector (L = KM)
K Number of ID vector division
blocks
M Size of divided ID vector
Secret key g GF (P) primitive element
Hj Symmetrical 2M × 2M matrix formed
of random numbers
(j = 1, 2, . . . , K)
αi Personal secret random number of
entity i
(where αi1αi2 . . . αiK ≡ 1
(mod P − 1))

In order to employ the safety of RSA ciphers, P is set so that it is very difficult to factor P−1 into prime numbers. To do that it is only necessary to use a prime number such that P=2pq+1 (where p and q are prime).

As in the first embodiment, the ID vector of each of the entities is divided into K blocks (ID division vectors) having a block size M (cf. FIG. 2 and formula 1).

Furthermore, as indicated in formula 12 below, a hashing function h(·) for generating a second ID vector vi of K-1 dimension from the ID is disclosed by the centers 1. The components of this second ID vector vi generated with the hashing function take positive integers, and it is assumed that the sum thereof is a comparatively small constant e as represented in formula 13 below.

υ i = ( υ i2 , υ i3 , , υ iK ) = h ( ID i ) ( 12 ) j = 2 K υ ij = e ( 13 )

Entity Registration Processing:

When the centers 1 are requested by an entity i for registration, K secret vectors sij (j=1, 2, . . . , K) corresponding, respectively, to a prepared key and K ID division vectors for entity i are found according to formulas 14-1, 14-2, . . . , 14-K, as represented below, the vectors sij so found are sent to entity i in secret, and registration is complete.

s i 1 g α i - e H 1 [ I i 1 ] ( mod P ) ( 14 - 1 ) s i 2 α i H 2 [ I i 2 ] v i 2 ( mod P - 1 ) ( 14 - 2 ) s i K α i H K [ I i K ] v i K ( mod P - 1 ) ( 14 - K )

Processing for Generating Common Key Between Entities:

Entity i uses the disclosed hashing function h (·) to derive the second ID vector for an opposite entity m, namely vm, according to formula 15 below.

v m = ( v m 2 , v m 3 , , v m K ) = h ( I D m ) ( 15 )

Entity i selects from its own secret key vectors si1 a vector si1 [vector Im1] of the component corresponding to vector Im1 that is the ID division vector of entity m, and also selects from among the secret key vectors sij for the blocks j (j=2, . . . , K) the vector sij [vector Imj] of the component corresponding to the vector Imj. Then, entity i sequentially performs power-multiplications, repeatedly for vmj times, on all the vectors sij [vector Imj] (j=2, . . . , K) except for vector si1 [vector Im1], with modulo P and the vector si1 [vector Im1] as the base, thereby deriving the common key Kim. The computation formula for finding this Kim specifically becomes formula 16 below. This Kim coincides with the common key Kmi obtained by the entity m.

K i m = s i 1 [ I m 1 ] s i 2 [ I m 2 ] v m 2 s i K [ I m K ] v m K = g α i - e α i e · H 1 [ i 1 ] [ m 1 ] · H 2 [ i 2 ] [ m 2 ] v m 2 H K [ i K ] [ m K ] v m K = g H 1 [ i 1 ] [ m 1 ] · H 2 [ i 2 ] [ m 2 ] v i 2 v m 2 H K [ i K ] [ m K ] v i K v m K ( mod P ) ( 16 )
where {right arrow over ([Iij])} is abbreviated [ij] from the second equation on

Safety Against Random Number Substitution Attack:

Generally, in actual examples of the aforementioned entities A and B, we will have vA2≠vB2, so that as shown below in formula 17, the random number substitution attack is not viable.

s Z 2 s A 2 [ ] s B 2 [ ] · s B 2 α A H 2 [ ] [ ] υ A2 α B H 2 [ ] [ ] υ B2 · α B H 2 [ ] α A H 2 [ ] ( mod P - 1 ) ( 17 )

3rd Embodiment

Another example (third embodiment) of the present invention is now described wherewith the personal random number elimination process is rendered complex by the addition of a constant term.

Preliminary Processing at Centers 1:

As in the first embodiment, the centers 1 prepare public keys and secret keys as follows and disclose the public keys.

Public key N N = PQ (where P and Q are large
prime numbers)
L Size of ID vector (L = KM)
K Number of ID vector division
blocks
M Size of divided ID vector
Secret key g Maximum generating element with
modulo N
Hj Symmetrical 2M × 2M matrix formed
of random numbers
(j = 1, 2, . . . , K)
αij Personal secret random number of
entity i
where αi1αi αiK ≡ 1 (mod λ (N))
and λ(·) is Carmichael function

Also, as in the first embodiment, the ID vector of each entity is divided into K blocks (ID division vectors) having a block size of M (cf. FIG. 2 and formula 1).

Entity Registration Processing:

When the centers 1 are requested by an entity i for registration, K secret vectors sij (j=1, 2, . . . , K-1, K) corresponding, respectively, to a prepared key and K ID division vectors for entity i are found according to formulas 18-1, 18-2, . . . , 18-K-1, 18-K, as represented below.

s i 1 g α i 1 H 1 [ I i 1 ] ( mod N ) ( 18 - 1 ) s i 2 α i H 2 [ I i 2 ] + β i 2 ( 18 - 2 ) s i , K - 1 α i H K - 1 [ I i , K - 1 ] + β i , K - 1 ( 18 - K - 1 ) s i K α i K H K [ I i K ] ( 18 - K )

The third embodiment further adds K-2 personal random numbers βi2, . . . , βi,K-1 to the first embodiment wherein αi2= . . . αi,K-1i and αi1αi αiK=1 (mod λ(N)). The centers 1 derive the vectors ti according to formula 19 below. It should be assumed here that βii2+ . . . +βi,K-1. The derived vectors sij and ti are sent to entity i in secret and registration is complete.

t i g - α i 1 H 1 [ I i 1 ] β i ( mod N ) ( 19 )

Processing for Generating Common Key Between Entities:

Entity i first, from the secret key vectors sij for the blocks j (j=2, . . . , K-1), selects column vectors sij[vectors Imj] corresponding to the vectors Imj that are the ID division vectors of entity m, block by block, and finds the sum Sim thereof by formula 20 below.

S im = j = 2 K - 1 s ij [ I mj ] = α i j = 2 K - 1 H j [ I ij ] [ I mj ] + β i ( 20 )

Entity i, from among the secret key vector si1 for its own first block and the secret key vector siK for the last block, selects the column corresponding to the vectors Imj that are the ID division vectors of entity m, and performs the calculation shown below in formula 21 using sim and vectors ti to derive the common key Kim. This Kim coincides with the common key Kmi derived by entity m.

K im ( t i [ I m 1 ] · s i 1 [ I m 1 ] s i m ) s i K [ I mK ] g α i 1 α i α i K · H 1 [ i1 ] [ m1 ] ( j = 2 K - 1 H j [ i j ] [ mj ] ) H K [ iK ] [ mK ] g H 1 [ i1 ] [ m1 ] ( j = 2 K - 1 H j [ ij ] [ mj ] ) H K [ iK ] [ mK ] ( mod N ) ( 21 )
where {right arrow over ([Iij])} is abbreviated [ij] from the second equation on

Safety Considerations:

In this formula, if settings are made as in formula 22 below, the expression Kim=xim2 xim3 . . . xim,K-1 will result, and, by gathering together numerous formulas wherein xim2, xim3, . . . , xim,K-1 are variables, it is theoretically possible to counterfeit keys.

x i m 2 = g H 1 [ i 1 ] [ m 1 ] H 2 [ i 2 ] [ m 2 ] H K [ i K ] [ m K ] x i m 3 = g H 1 [ i 1 ] [ m 1 ] H 3 [ i 3 ] [ m 3 ] H K [ i K ] [ m K ] x i m , K - 1 = g H 1 [ i 1 ] [ m 1 ] H K - 1 [ i , K - 1 ] [ m , K - 1 ] H K [ i K ] [ m K ] ( 22 )

However, with the scheme of the present invention, the mathematical structures are held down to a minimum, and there is no structure in their variables that is separable, whereupon it becomes necessary to attack all of these variables as independent variables, thus requiring an extremely enormous number of collaborators. Even if the final block is susceptible to elimination by a random number substitution attack, the terms expressed in formula 22 must be attacked as independent variables. Thus, in the case where M=10, for example, it becomes necessary to amass 220 specific equations in order to attack, so safety is enhanced.

Although the third embodiment pertains to a case wherein a composite number N difficult of prime factoring is used as the modulus, the same thing can of course be done in the case where N=P.

4th Embodiment

FIG. 4 is a model diagram showing the configuration of a cryptographic communications system of the present invention. A plurality (K) of centers 1 which can be trusted to maintain information confidentiality are established. These centers 1 may be public institutions in a society, for example.

These centers 1 and a plurality of entities a, b, . . . , z that are users of this cryptosystem are connected by secret communication paths 2 a1, . . . , 2 aK, 2 b1, . . . , 2 bK, . . . , 2 z1, . . . , 2 zK. Thus secret key information can be sent to the entities a, b, . . . , z from the centers 1 via the secret communication paths. Communication paths 3 ab, 3 az, 3 bz, etc., are also deployed between pairs of entities so that ciphertext resulting from encrypting communications information can be sent back and forth between entities via those communication paths 3 ab, 3 az, 3 bz, etc.

Preparatory Processing at Centers 1:

The centers 1 prepare public keys and secret keys as shown below, and discloses the public keys.

Public key N N = PQ
K Number of ID vector division
blocks
Mj Size of divided ID vector (where
j = 1, 2, . . . , K)
L Size of ID vector (L = M1 + M2 +
. . . + MK)
T Degree of exponent portion
Secret key P,Q Large prime numbers
g Maximum generating element with
modulo N
Hj Symmetrical 2Mj × 2Mj matrix
formed of random numbers
αi Personal secret random number of
entity i
(where gcd (αi, λ(N)) = 1 and
λ(·) is Carmichael function)
βij Personal secret random number of
entity i (where βi1 + βi2 + . . . +
βiK = λ(N))

It should be assumed that ID vectors that are specifying information indicating the names and addresses of entities are L-dimension binary vectors, and each of their ID vectors is divided into K blocks (block sizes are M1, M2, . . . , MK), as diagrammed in FIG. 5. The ID vector for entity i (i.e. vector Ii), for example, is divided as indicated in formula 23 below. The vectors Iij (j=1, 2, . . . , K), that are divided specifying information, are called ID division vectors.

I i = [ I i 1 I i 2 I i K ] ( 23 )

Entity Registration Processing:

When the centers 1 are requested by an entity i for registration, K secret key vectors sij (j=1, 2, . . . , K) corresponding, respectively, to a prepared key and K ID division vectors for entity i are calculated according to formulas 24-1, 24-2, . . . , 24-j, . . . , 24-K below.

s i 1 = α i H 1 [ I i 1 ] + β i 1 1 ( 24 - 1 ) s i 2 = α i H 2 [ I i 2 ] + β i 2 1 ( 24 - 2 ) s i j = α i H j [ I i j ] + β i j 1 ( 24 - j ) s i K = α i H K [ I i K ] + β i K 1 ( 24 - K )

Vector 1 represents a vector of K dimension wherein all of the components are 1. The representation Hj [vector Iij] indicates a row, corresponding to the vector Iij, extracted from the symmetrical matrix Hj, and the [·] operation is also defined for reference.

Next, for the 1st block, T+1 secret key vectors git (t=0, 1, 2, . . . , T) are calculated according to formulas 25-0, 25-1, 25-2, . . . , 25-t, . . . , 25-T below.

g i 0 g α i - T 1 ( mod N ) ( 25 - 0 ) g i 1 g α i - T s i 1 ( mod N ) ( 25 - 1 ) g i 2 g α i - T s i 1 2 ( mod N ) ( 25 - 2 ) g i t g α i - T s i 1 t ( mod N ) ( 25 - t ) g i T g α i - T s i 1 T ( mod N ) ( 25 - T )

It should be assumed that when c is a scalar and A and B indicated in formulas 26 and 27 are matrixes, the expressions B=cA and B=<A>c correspond to formulas 28 and 29, respectively.
A=(aμν)  (26)
B=(b μν)
bμν=ca μν   (28)
bμν=aμν c  (29)

One of the centers 1 sends the T+1 secret key vectors git (t=0, 1, 2, . . . , T) relating to 1st block to entities i in secret, while the remaining (K-1) centers 1 send K-1 secret key vectors sij (j=2, 3, . . . , K) relating to the blocks from the second to the last to entities i in secret.

Processing for Generating Common Key Between Entities:

Entity i, for the 1st block, selects from its own T+1 secret key vectors git a vector git [vector Im1] of the component corresponding to vector Im1 that is the ID division vector of entity m. The vectors selected are represented below in formulas 30-0, 30-1, . . . , 30-t, . . . 30-T.

g 0 i m = g i 0 [ I m 1 ] ( 30 - 0 ) g 1 i m = g i 1 [ I m 1 ] ( 30 - 1 ) g t i m = g i t [ I m 1 ] ( 30 - t ) g T i m = g i T [ I m 1 ] ( 30 - T )

Next, entity i, for the blocks 2, 3, . . . , K for j=2, 3, . . . , K, selects, from its own secret key vectors sij, vectors sij [vectors Imj] of the components corresponding to vectors Imj that are the ID division vectors of entity m, block by block. The vectors selected are represented below in formulas 31-2, . . . , 31-J, . . . , 31-K.

x 2 i m = s i 2 [ I m 2 ] ( 31 - 2 ) x j i m = s i j [ I m j ] ( 31 - j ) x K i m = s i K [ I m K ] ( 31 - K )

Then, the sum yim for all of these is found on the integer ring as in formula 32 below.

y im = j = 2 K x jim ( 32 )

And, by performing calculation as in formula 33 below, with modulo N, the common key Kim is derived. In the calculation in this formula 33, by completing the calculations for all of the blocks, the personal secret random number αi is eliminated by multiplication by the inverse element thereof, and the personal secret random numbers βij, which are K in number, are eliminated by additions therefor. This Kim coincides with the common key Kmi derived by entity m.

K im t = 0 T g tim T C t y im ( T - t ) g α i - T t = 0 T C t T x 1 im t y im T - t g α i - T ( x 1 im + y im ) T g α i - T ( x 1 im + + x Kim ) T g α i - T ( α i H 1 [ I i 1 ] [ I m 1 ] + β i1 + + α i H K [ I iK ] [ I mK ] + β iK ) T g α i - T { α i ( H 1 [ I i 1 ] [ I m 1 ] + + H K [ I iK ] [ I mK ] ) + λ ( N ) } T g α i - T { α i ( H 1 [ I i 1 ] [ I m 1 ] + + H K [ I iK ] [ I mK ] ) } T g ( H 1 [ I i 1 ] [ I m 2 ] + + H K [ I iK ] [ I mK ] ) T ( mod N ) ( 33 )

In the formula above we assumed x1im=vector si1 [vector Im1], but this is not even known to entity i itself. Also, because T is a comparatively small number, the exponent portion can be calculated by successively and repeatedly performing power multiplication.

In the example described in the foregoing, the size Mj of the blocks may be constant for all blocks or, alternatively, some or all of the blocks may have different sizes. However, the secret key vector git is derived in relation to the 1st block, wherefore, when that size is made constant for all blocks, the secret becomes large for the 1st block. Thus, it is better to make the size of the 1st block smaller than the sizes of the other blocks. When M1=1, in particular, the secrets distributed can be minimized and safety most enhanced.

Let us now consider the safety of the present invention against a collusive attack such as an attack against the whole cryptosystem by the collusion of a large indefinite number of entities. If the total number of entities is 1 million, then 1000000 ≈220, wherefore Mj=1 and K=20. If T=32, then the number of exponent portion terms in the common key Kim becomes 20H32=51C32≈4.85×1013. This number of terms exceeds the total number of keys shared between all entities, namely 1000000C2≈5×1012. Accordingly the condition that number of terms>total number of shared keys is satisfied and safety against collusive attack is realized.

The communication of information between entities in the cryptosystem described in the foregoing is described next. FIG. 6 is a model diagram showing how information is communicated between two entities a and b. In the example diagrammed in FIG. 6, entity a encrypts a plaintext (message) M to the ciphertext C which it sends to entity b, and entity b decrypts that ciphertext C back to the original plaintext (message) M.

The first of the centers 1 is equipped with a secret key generator 1 a which computes secret key vectors sa1 and sb1 peculiar to the entities a and b, and the secret key vectors gat and gbt (t=0, 1, 2, . . . , T) numbering T+1, according to the formulas 24-1, 25-0, . . . , 25-T given earlier. Then, when registration requests are made by the entities a and b, the secret key vectors gat and gbt for those entities a and b are sent to the entities a and b.

The j'th center 1 (where j=2, 3, . . . , K) is equipped with a secret key generator 1 a for computing the secret key vectors saj and sbj peculiar to the entities a and b according to the formulas 24-2, . . . , 24-K given earlier. When registration requests are made by the entities a and b, the secret key vectors saj and sbj for those entities a and b are sent to the entities a and b.

Entity a is provided with a memory 10 for storing, in tabular form, the secret key vectors gat (t=0, 1, 2, . . . , T) and saj (j=2, 3, . . . , K) sent from the centers 1, a component selector 11 for selecting from among those secret key vectors the vector gat [vector Ib1] (t=0, 1, 2, . . . , T) and the vector saj [vector Ibj] (j=2, 3, . . . , K) for the components corresponding to entity b, a common key generator 12 for generating the common key Kab with entity b derived by entity a using those components selected, and an encryptor 13 for encrypting the plaintext (message) M to the ciphertext C using the common key Kab and outputting it over the channel 30.

Entity b is provided with a memory 20 for storing, in tabular form, the secret key vectors gbt (t=0, 1, 2, . . . , T) and sbj (j=2, 3, . . . , K) sent from the centers 1, a component selector 21 for selecting from among the secret key vectors the vector gbt [vector Ia1] (t=0, 1, 2, . . . , T) and the vector sbj [vector Iaj] (j=2, 3, . . . , K) for the components corresponding to entity a, a common key generator 22 for generating the common key Kba with entity a derived by entity b using those components selected, and a decryptor 23 for decrypting the ciphertext C input from the channel 30 to the plaintext M using the common key Kba and outputting it.

When information is to be sent from entity a to entity b, first, the secret key vectors gat (t=0, 1, 2, . . . , T) and saj (j=2, 3, . . . , K) pre-stored in the memory 10 after being derived at the centers 1 are read out to the component selector 11. The component selector 11 then selects the vector gat [vector Ib1] (t=0, 1, 2, . . . , T) and the vector saj [vector Ibj] (j=2, 3, . . . , K) that are the components corresponding to entity b and sends them to the common key generator 12. The common key generator 12 uses these components to derive the common key Kab according to formula 33, and sends the common key Kab to the encryptor 13. The encryptor 13 utilizes this common key Kab to encrypt the plaintext M to the ciphertext C and sends the ciphertext C via the channel 30.

The ciphertext C sent over the channel 30 is input to the decryptor 23 of entity b. The secret key vectors sbj (j=2, 3, . . . , K) and gbt (t=0, 1, 2, . . . , T) derived at the centers 1 and prestored in the memory 20 are read out to the component selector 21. Then, the component selector 21 selects the vector gbt [vector Ia1] (t=0, 1, 2, . . . , T) and the vector sbj [vector Iaj] (j=2, 3, . . . , K) that are components corresponding to entity a and sends them to the common key generator 22. The common key generator 22 uses these components to derive the common key Kba according to formula 33 and sends this common key to the decryptor 23. The decryptor 23 uses the common key Kba to decrypt the ciphertext C to the plaintext M.

In the above-described example, centers are deployed in a plurality, and these centers generate a plurality of keys corresponding to a plurality of units (pieces) of entity ID information respectively. In other words, each center generates a key for a certain segment of entity ID information. Therefore no single center can hold all entity secrets, and the centers cannot become “big brothers.” Also, the secret key vectors peculiar to the respective entities are stored beforehand in the memories of the entities, so the time required for generating common keys can be shortened.

FIG. 7 is a configurational diagram of an embodiment of recording media according to the present invention. The program exemplified here, which is recorded on recording media described below, comprises processes for selecting components corresponding to entity m from among the secret key vectors sij and git sent to entity i from the centers and processes for finding a common key Kimusing those components so selected. A computer 40 is provided at each entity.

In FIG. 7, a recording medium 41 that connects the computer 40 online employs a WWW (world wide web) server computer, for example, located remotely from the site where the computer 40 is installed. A program 41 a such as that described above is recorded on the recording medium 41. The program 41 a read out from the recording medium 41 controls the computer 40 and thereby computes common keys at the entities for other entities to be communicated with.

A recording medium 42 provided internally in the computer 40 is a built-in hard disk drive or ROM, for example, and a program 42 a as described above is recorded on the recording medium 42. The program 42 a read out from the recording medium 42 controls the computer 40 and thereby computes common keys at the entities for other entities to be communicated with.

A recording medium 43 loaded in a disk drive 40 a of the computer 40 is a portable optical-magnetic disk, CD-ROM, or flexible disk, etc. A program 43 a such as described above is recorded on the recording medium 43. The program 43 a retrieved from the recording medium 43 controls the computer 40 and thereby computes common keys at the entities for other entities to be communicated with.

With the present invention, as described in the foregoing, entity ID information is divided into a plurality of segments or pieces and a plurality of centers are established for these entity ID information pieces respectively such that each of the centers generates a particular key for a particular piece of entity ID information. Therefore, no single center can grasp all entity secrets or can become a “big brother.” In addition, the mathematical structures are held down to a minimum, so that it is easy both to effectively circumvent the collusion problem and to implement the cryptosystem. Furthermore, because the entities are in possession beforehand of secret keys peculiar thereto, the time required for generating common keys can be significantly shortened.

With an ID-NIKS based on the third conventional method described earlier, in general, L×L symmetrical matrixes are center secrets, and a portion of that information is treated as a vector comprising L components and distributed to the entities. This scheme is very easy to implement but the collusion threshold is no more than approximately L. With the scheme of the present invention, on the other hand, a collusion threshold can be obtained which is far greater than L.

With the conventional scheme, by employing 2M×2M center secret matrixes, it is possible to configure an ID-NIKS having the same level of collusion threshold as the present invention. An ID-NIKS configured in such manner is not practical, however, because it requires 2M product computations or power-multiplication computations for key sharing. Another problem with such an ID-NIKS is that almost all schemes are divisible so that secret keys can be counterfeited for entities expressed by the linear combination of some collaborators. With the scheme of the present invention, on the other hand, the number of secret keys held becomes more numerous, but the common keys can be shared by making K-1 power-multiplication computations, at most, key generation can be done at very high speed, and, even though some entities might be expressed by the linear combination of collaborators, it is still possible to prevent the counterfeiting of secret keys for those entities.

With the present invention, moreover, the random number terms are eliminated only after all blocks have been completely computed, wherefore divided blocks cannot be independently attacked and it is possible to circumvent random number substitution attack.

The above illustrated and described secret key generation method, encryption method, cryptographic communications method, common key generator, cryptographic communications system, and recording media are disclosed in Japanese Patent Application Nos. 11-16257 and 11-59049 filed on Jan. 25, 1999 and Mar. 5, 1999 respectively, the instant application claims priority of these Japanese Applications, and the entire disclosure thereof is herein incorporated by reference.

Patent Citations
Cited PatentFiling datePublication dateApplicantTitle
US4736423 *Jan 31, 1986Apr 5, 1988International Business Machines CorporationTechnique for reducing RSA Crypto variable storage
US5016276May 7, 1990May 14, 1991Kabushiki Kaisha AdvanceCommon cryptokey generation system and communication system using common cryptokeys
US5220606 *Feb 10, 1992Jun 15, 1993Harold GreenbergCryptographic system and method
US5241599 *Oct 2, 1991Aug 31, 1993At&T Bell LaboratoriesCryptographic protocol for secure communications
US5539827 *Apr 5, 1995Jul 23, 1996Liu; ZunquanDevice and method for data encryption
US5588061 *Jul 20, 1994Dec 24, 1996Bell Atlantic Network Services, Inc.System and method for identity verification, forming joint signatures and session key agreement in an RSA public cryptosystem
US5764772 *Dec 15, 1995Jun 9, 1998Lotus Development CoporationDifferential work factor cryptography method and system
US5987128 *Feb 21, 1997Nov 16, 1999Card Call Service Co., Ltd.Method of effecting communications using common cryptokey
US5987129 *Feb 21, 1997Nov 16, 1999Card Call Service Co., Ltd.Method of sharing cryptokey
JPH04245287A Title not available
Non-Patent Citations
Reference
1A. Fujikawa et al., "Computationally Secure ID-NIKS", Technical Report of IEICE, Jul. 1996.
2Adi Shamir, "Identity-Based Cryptosystems and Signature Schemes", Advances in Cryptology: proceedings of CRYPTO 84 / edited by G.R. Blakley and David Caum / Berlin; Tokyo: Springer-Verlag, pp. 47-53.
3M. Kasahara et al., "Common-key Sharing Scheme Based on Double Exponential Function", Technical Report of IEICE May 1999.
4Rolf Blom, "Non-Public Key Distribution", Advances in cryptology: proceedings of CRYPTO 82 / edited by David Chaum, Ronald L. Rivest, and Alan T. Sherman / New York: Plenum Press, pp. 231-236.
5S. Tsujii et al., "A New Concept of Key Sharing Systems", The 1999 Symposium on Cryptography and Information Security, Jan. 1999.
Referenced by
Citing PatentFiling datePublication dateApplicantTitle
US7620187Mar 30, 2005Nov 17, 2009Rockwell Collins, Inc.Method and apparatus for ad hoc cryptographic key transfer
US7958354Feb 14, 2008Jun 7, 2011Rockwell Collins, Inc.High-order knowledge sharing system to distribute secret data
US8059816 *May 3, 2006Nov 15, 2011Temple University Of The Commonwealth System Of Higher EducationSecret sharing technique with low overhead information content
US8090097Sep 8, 2007Jan 3, 2012Frank RubinDevice, system and method for cryptographic key exchange
US8098815Sep 8, 2007Jan 17, 2012Frank RubinDevice, system and method for cryptographic key exchange
US8121287 *Jun 5, 2008Feb 21, 2012International Business Machines CorporationSystem, method, and service for performing unified broadcast encryption and traitor tracing for digital content
US8166532Oct 10, 2006Apr 24, 2012Honeywell International Inc.Decentralized access control framework
WO2012100352A1 *Jan 27, 2012Aug 2, 2012Royal Canadian Mint/Monnaie Royal CanadienneControlled security domains
Classifications
U.S. Classification380/44, 380/259, 726/3
International ClassificationH04L9/00
Cooperative ClassificationH04L9/083, H04L9/0847
European ClassificationH04L9/08F4D, H04L9/08F2H
Legal Events
DateCodeEventDescription
Jun 20, 2010LAPSLapse for failure to pay maintenance fees
Jan 25, 2010REMIMaintenance fee reminder mailed
Aug 14, 2007CCCertificate of correction
Jan 24, 2000ASAssignment
Owner name: MURATA KIKAI KABUSHIKI KAISHA, JAPAN
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MURAKAMI, YASUYUKI;REEL/FRAME:010550/0189
Effective date: 20000112